Vens¶

Your scanner found 300 CVEs. Which ones actually matter?

Give Vens a Trivy or Grype report plus a short description of your system — exposure, data sensitivity, compliance, security controls — and it scores every CVE based on its real risk to you, not just its generic CVSS severity.

The output is a CycloneDX VEX file with OWASP Risk Rating scores.

What you get¶

Example scenario	Before Vens	After Vens
Generic RCE in a library whose vulnerable code path is never executed in your build	CVSS 8.8 HIGH	OWASP 10.0 LOW — not reachable in your runtime
Information leak in a request handler that processes PII under GDPR	CVSS 5.3 MEDIUM	OWASP 52.0 HIGH — leaks PII in a GDPR workload
300 CVEs in your report	All urgent	~30 actually urgent

The two rows above are illustrative scenarios to show how contextual scoring moves a CVSS score in both directions. Actual scores depend on your config.yaml and the LLM model you use.

Result: fix what matters. Stop wasting cycles on CVEs that don't apply to your system.

How it works¶

┌───────────┐     ┌──────────────┐     ┌────────────────┐     ┌──────────────┐
│  Trivy    │     │  config.yaml │     │                │     │ CycloneDX    │
│  or       │────▶│  (your       │────▶│   vens         │────▶│ VEX with     │
│  Grype    │     │  context)    │     │   generate     │     │ OWASP scores │
└───────────┘     └──────────────┘     └────────────────┘     └──────────────┘
                                              │
                                              ▼
                                       ┌──────────────┐
                                       │  LLM         │
                                       │  (OpenAI,    │
                                       │  Anthropic,  │
                                       │  Ollama,     │
                                       │  Google AI)  │
                                       └──────────────┘

Vens reads your scanner report, combines it with your system context (exposure, data sensitivity, compliance, controls), and asks an LLM to compute a real risk score for every CVE — one at a time.

Start here¶

:material-download: Install Vens Three commands, three options.
:material-rocket-launch: Quickstart (5 minutes) Your first VEX file from a real image.
:material-sort-descending: Prioritize a CVE backlog The most common use case.
:material-cog: Describe your context The step that makes scores accurate.
:material-arrow-collapse-right: Enrich your report Fold OWASP scores back into your Trivy report.
:material-github: GitHub Actions Drop vens into your CI pipeline.

Is Vens for me?¶

Vens is built for:

Security engineers drowning in CVE backlogs from Trivy / Grype / Dependency-Track.
DevSecOps teams who need machine-readable VEX to suppress noise in CI.
Lead security architects who want risk scores that reflect business impact, not generic CVSS.

Vens is not a scanner. You still need Trivy or Grype to find CVEs — Vens tells you which ones to care about.

Before you commit¶

Before adopting Vens in production, read these three short pages — they tell you exactly what you're getting into:

Privacy and data flow — what is (and isn't) sent to your LLM provider.
Limitations — the things Vens deliberately does not guarantee (reproducibility, benchmarks, BAA, and more).
Vens vs alternatives — where Vens sits in the ecosystem (vexctl, vexllm, Dependency-Track, reachability tools).

License¶

Apache 2.0 — LICENSE